Tuesday, June 13, 2017

Microsoft Patch Tuesday - June 2017

Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 92 vulnerabilities with 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, Sharepoint, Skype for Business, Lync, and Windows.


Vulnerabilities Rated Critical

CVE-2017-0283

This is a remote code execution vulnerability in Windows Uniscribe related to improper handling of objects in memory. The attack can result in the attacker gaining full control of the affected system. This can be exploited through multiple vectors including viewing a specially crafted website or a user opening a specially crafted document file.

CVE-2017-0291 / CVE-2017-0292

These are remote code execution vulnerability in Microsoft Windows if a user opens a specially crafted PDF file. The attack results in potential arbitrary code execution in the context of the current user and can be exploited by having the user open a specially crafted PDF file.

CVE-2017-0294

This is a remote code execution vulnerability in Microsoft Windows related to the failure to properly handle cabinet files. This is exploitable by an attacker having a user to open a specially crafted cabinet file or spoofing a network printer and tricking the user into installing a malicious cabinet file disguised as a printer driver.

CVE-2017-8464

This is a remote code execution vulnerability related to the way that Windows Explorer handles LNK files. This vulnerability can be triggered if the icon of a specially crafted shortcut is displayed.

CVE-2017-8496 / CVE-2017-8497

These are remote code execution vulnerabilities in Microsoft's Edge browser related to improper access of objects in memory. This resulting memory corruption can result in arbitrary code execution. These can be exploited by a user visiting a specially crafted website.

CVE-2017-8499

This is a remote code execution vulnerability in the Microsoft Edge JavaScript scripting engine related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted websites.

CVE-2017-8517

This is a remote code execution vulnerability in the JavaScript engine in Microsoft browsers related to improper handling of objects in memory. Exploitation can occur through a specially crafted website resulting in the attacker gaining taking full control of the affected system.

CVE-2017-8520

This is a remote code execution vulnerability in Microsoft Edge JavaScript scripting engine related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.

CVE-2017-8522

This is a remote code execution vulnerability in the way the Javascript engines render when handling objects in memory in Microsoft browsers including both Internet Explorer and Edge. This can be exploited by a user visiting a specially crafted webpage.

CVE-2017-8524

This is a remote code execution in the JavaScript engines in Microsoft Browsers related to improper handling of objects in memory. Exploitation can occur through the viewing of a specially crafted website and can result in the attacker gaining the same user rights as the current user.

CVE-2017-8527

This is a remote code execution vulnerability in the Windows font library related to improper handling of specially crafted embedded fonts. There are multiple ways this vulnerability can be exploited including viewing a specially crafted websites and a specially crafted document opened by the user.

CVE-2017-8528

This is a remote code execution vulnerability in Windows Uniscribe related to improper handling of objects in memory. There are multiple ways this vulnerability can be exploited including viewing a specially crafted websites and a specially crafted document opened by the user.

CVE-2017-8543

This is a remote code execution vulnerability in Windows Search related to the improper handling of objects in memory. This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.

CVE-2017-8548 / CVE-2017-8549

These are remote code execution vulnerabilities in the JavaScript engines of Microsoft Browsers related to improper handling of objects in memory. This can be exploited by having a user viewing a specially crafted website.

Vulnerabilities Rated as Important

CVE-2017-0173 / CVE-2017-0215 / CVE-2017-0216 / CVE-2017-0218 / CVE-2017-0219

These are security feature bypass vulnerabilities in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session. This can be exploited by an attacker with access to a local machine by injecting malicious code into a script that is trusted by the Code Integrity policy.

CVE-2017-0193

This is a privilege escalation vulnerability in Windows Hyper-V instruction emulation related to improper privilege level enforcement. This vulnerability could be combined with another vulnerability to take advantage of the elevated privileges while running.

CVE-2017-0260 / CVE-2017-8506

These are remote code execution vulnerabilities in Microsoft Office related to improper input validation prior to loading dynamic link library (DLL) files. They can be exploited by a user opening a specially crafted office document and can result in the attacker gaining full control of the affected system.

CVE-2017-0282 / CVE-2017-0284 / CVE-2017-0285

This is an information disclosure vulnerability in Windows Uniscribe related to improper disclosure of the contents of its memory. This can be exploited by having a user open a specially crafted document or visit an untrusted webpage.

CVE-2017-0286 / CVE-2017-0287 / CVE-2017-0288 / CVE-2017-0289

These are information disclosure vulnerabilities in the Windows GDI functionality that results in disclosure of the contents of memory. This can be exploited by a user opening a specially crafted document or convincing a user to access an untrusted webpage.

CVE-2017-0295

This is a tampering vulnerability in Microsoft Windows that allows an authenticated attacker to modify the C:\Users\DEFAULT folder structure. This is exploitable by an authenticated user prior to the target user logging on locally to the computer. Users that have previously logged on to the system are not impacted by this vulnerability.

CVE-2017-0296

This is a privilege escalation vulnerability that impacts Windows 10. The vulnerability is a buffer overrun corruption that can result in escalation of privilege. This is exploitable by local attacker executing a specially crafted application to elevate privilege.

CVE-2017-0297

This is a privilege escalation vulnerability in the Windows Kernel related to the improper handling of objects in memory. This is exploitable by local attacker executing a specially crafted application to elevate privilege.

CVE-2017-0298

This is a privilege escalation vulnerability in the Windows, specifically when a DCOM object in Helppane.exe that is configured to run as the interactive user fails to improperly authenticate a client. Exploitation occurs by an attacker that is logged into the system and executed a specially crafted application that would exploit the vulnerability after another user logged on to the same system via Terminal Services or Fast User Switching.

CVE-2017-0299 / CVE-2017-0300 / CVE-2017-8462

These are information disclosure vulnerabilities in the Windows kernel related to improper initialization of a memory address allowing the attacker to retrieve information to potentially bypass Kernel Address Space Layout Randomization (KASLR). The vulnerabilities can be exploited by an attacker that is logged on to the affected system and executes a specially crafted application.

CVE-2017-8460

This is an information disclosure vulnerability in Microsoft Windows related to a user opening a specially crafted PDF file. This vulnerability can be exploited by an attacker having a user open a specially crafted PDF file.

CVE-2017-8465 / CVE-2017-8466 / CVE-2017-8468

These are use-after-free vulnerability that can result in privilege escalation. This is specifically triggered when the Windows improperly handles objects in memory. These vulnerabilities can be exploited by the attacker logging in locally or convincing a user to execute a specially crafted application.

CVE-2017-8469 / CVE-2017-8470

This is an information disclosure vulnerability related to the way the Windows kernel improperly initializes objects in memory. This can be triggered by an authenticated attacker executing a specially crafted application.

CVE-2017-8471 / CVE-2017-8472 / CVE-2017-8473 / CVE-2017-8474 / CVE-2017-8475 / CVE-2017-8476 / CVE-2017-8477 / CVE-2017-8478 / CVE-2017-8479 / CVE-2017-8480 / CVE-2017-8481 / CVE-2017-8482 / CVE-2017-8483 / CVE-2017-8484 / CVE-2017-8485 / CVE-2017-8488 / CVE-2017-8489 / CVE-2017-8490 / CVE-2017-8491 / CVE-2017-8492 / CVE-2017-8553

These are information disclosure vulnerabilities in the Windows kernel related to improper initialization of objects in memory. Exploitation can occur by an authenticated attacker executing a specially crafted application.

CVE-2017-8493

This is a security feature bypass vulnerability that exists when Microsoft Windows fails to enforce case sensitivity for certain variable checks. This could result in an attacker being able to set variables that are either read-only or require authentication. This can be exploited by an attacker executing a specially crafted application to bypass UEFI variable security in Windows.

CVE-2017-8494

This is a privilege escalation vulnerability related to improper object handling in memory in Windows Secure Kernel Mode. This can be exploited by a locally-authenticated attacker executing a specially crafted application.

CVE-2017-8507

This is a remote code execution vulnerability in Microsoft Outlook related to parsing of specially crafted email messages. This vulnerability is triggered when Microsoft Outlook processes a specially crafted message that allows script execution. This can be exploited by opening a specially crafted email message.

CVE-2017-8508

This is a security feature bypass vulnerability in Microsoft Office related to the improper handling of the parsing of file formats. The vulnerability by itself does not allow arbitrary code execution, but could be used in conjunction with another vulnerability to take advantage of the security feature bypass to execute arbitrary code. This can be exploited by having a user open a specially crafted file.

CVE-2017-8509 / CVE-2017-8510 / CVE-2017-8511 / CVE-2017-8512 / CVE-2017-8513

These are remote code execution in Microsoft Office related to improper handling of objects in memory. Exploitation occurs when a user opens a specially crafted file. This file could be delivered via an email message or be hosted on a website.

CVE-2017-8514

This is a reflective cross site scripting vulnerability in Microsoft SharePoint Server related to improper sanitization of specially crafted requests. This can be exploited by sending a specially crafted request to an affected SharePoint server and will run the script in the security context of the current user. The request could be delivered via both email message or through a specially crafted URL on a website.

CVE-2017-8515

This is a denial of service vulnerability in Microsoft Windows that is triggered when an unauthenticated attacker sends a specially crafted kernel mode request. This attack could cause a denial of service on the target system, requiring a reboot to resolve.

CVE-2017-8519

This is a remote code execution vulnerability in Internet Explorer related to the objects in memory are improperly accessed. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.

CVE-2017-8521

This is a remote code execution vulnerability in Microsoft Edge JavaScript scripting engine related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.

CVE-2017-8523

This is a security feature bypass vulnerability in Microsoft Edge related to a failure to correctly apply Same Origin Policy for HTML elements present in other browser windows. This vulnerability could be leveraged to trick a user into loading a page with malicious content when a user visits a specially crafted website.

CVE-2017-8529

This is an information disclosure vulnerability that targets both Internet Explorer and Edge. The vulnerability resides specifically in print preview and can be triggered by browsing to a specially crafted URL.

CVE-2017-8530

This is a security feature bypass vulnerability in Microsoft Edge related to a failure to correctly enforce Same Origin Policies potentially allowing an attacker to access information from origins outside of the current one. This vulnerability could be leveraged to trick a user into loading a page with malicious content when a user visits a specially crafted website.

CVE-2017-8531 / CVE-2017-8532 / CVE-2017-8533

These are information disclosure vulnerabilities in the Windows CDI component related to improper disclosure of the contents of its memory. They can be exploited by having a user open a specially crafted document or visit an untrusted webpage.

CVE-2017-8534

This is an information disclosure vulnerability in Windows Uniscribe related to the improper disclosure of the contents of its memory. There are multiple ways to exploit this vulnerability including having the user open a specially crafted document of having them visit an untrusted webpage.

CVE-2017-8544

This is an information disclosure vulnerability in Windows Search related to improper handling of objects in memory. This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.

CVE-2017-8545

This is a spoofing vulnerability in Microsoft Office for Mac related to the improper sanitization of html or treat it in a safe manner. This can be exploited by sending an email with specific HTML tags that display a malicious authentication prompt and could provide the attacker a user's authentication information or login credentials.

CVE-2017-8547

This is a remote code execution vulnerability in Internet Explorer related to improper access of objects in memory. The vulnerability could result in corrupt memory that can be leveraged to execute arbitrary code. Exploitation can occur by having a user view a specially crafted website.

CVE-2017-8550

This is a remote code execution vulnerability in Skype for Business and Microsoft Lync Servers related to a failure to properly sanitize specially crafted content. An authenticated attacker could leverage this vulnerability to execute HTML and JavaScript content in the Skype for Business of Lync context including opening a web page using the default browser or opening another messaging session with another user. Exploitation would require an attacker to invite a user to an instant message session and then send a message that contains specially crafted JavaScript content.

CVE-2017-8551

This is a privilege escalation vulnerability in SharePoint Server related to the improper sanitization of a specially crafted web request. Successful exploitation could result in cross-site scripting attacks on affected systems and the script running in the security context of the current user. Exploitation occurs by an authenticated attacker sending a specially crafted request to an affected SharePoint Server.

CVE-2017-8555

This is a security feature bypass vulnerability in Microsoft Edge related to improper validation of specially crafted documents in the Edge Content Security Policy. This vulnerability could be leveraged to trick a user into loading a web page with malicious content. Exploitation occurs through a user viewing a specially crafted webpage.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.

Snort Rules:
17042
24500
43155-43166
43169-43176

1 comment:

  1. When applying these rules, would you recommenced applying them to our inside->outside policy. outside->inside policy, or both?

    ReplyDelete

Post a Comment